Overview
Single Sign-On (SSO) allows your firm to simplify and secure the login experience by enabling users to sign in using an existing identity provider. Instead of managing separate usernames and passwords, users can authenticate using trusted providers like Google or Microsoft.
SSO is especially useful for firms that want to:
Improve security by reducing password-related risks
Simplify user access across systems
Streamline onboarding and offboarding for team members
Who Can Enable SSO
SSO is managed at the firm level
Only Admin or Super Admin users can enable or disable SSO
How to Enable SSO
Follow these steps to enable Single Sign-On:
Go to Settings
Select Firm Info
Scroll to the Enable SSO section
Toggle Enable SSO to ON
Choose your preferred provider:
Google
Microsoft
Supported Identity Providers
Google – Sign in using a Google account
Microsoft – Sign in using a Microsoft account
Users must have an active account with the selected provider to sign in successfully.
What Happens After SSO Is Enabled
Domain-Based Login Rules
Users whose email domain matches the firm domain:
Are prompted to connect their account with the selected SSO provider
Must log in using SSO only
Email and password login is disabled
Users whose email domain does not match the firm domain:
Continue to log in using email and password
Are not allowed to log in using SSO
Example
Your firm domain is set as @abcaccounting.com and SSO is enabled.
John signs up with john@abcaccounting.com
John is prompted to connect his account with the firm’s SSO provider.
He must log in using SSO going forward.
Email and password login is disabled for him.
Sarah is invited with her personal email sarah@gmail.com
Since her email domain is different from the firm domain, she won't be able to log in using SSO and logs in with username and password instead.
This ensures that internal firm users follow secure SSO access, while external users continue with standard email-based login.
Multi-Firm Access
Users can access multiple firms with a single login
If any firm the user belongs to has SSO enabled:
SSO login applies
If none of the user’s firms match the SSO domain:
Email and password login continues to apply
Example
Alex has one Xenett login and access to two firms:
ABC Accounting (SSO enabled with domain @abcaccounting.com)
XYZ Consulting (no SSO enabled)
Scenario 1: One firm has SSO enabled
Alex’s email is alex@abcaccounting.com
Since ABC Accounting has SSO enabled and Alex belongs to that firm:
Alex must log in using SSO
Email and password login is disabled
Scenario 2: No firms have SSO enabled
Alex’s email is alex@gmail.com
Neither ABC Accounting nor XYZ Consulting has SSO enabled for his email domain:
Alex continues to log in using email and password
SSO login does not apply
This ensures a single login experience while enforcing SSO wherever it is required by any firm the user belongs to.
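The domain-matching and multi-firm rules above, written out as an added example (this is not Xenett's code). The Firm record, the login_method function, the provider value and the exact, case-insensitive domain comparison are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Firm:
    name: str
    domain: str                         # firm domain, with or without a leading "@"
    sso_provider: Optional[str] = None  # "google" / "microsoft"; None = SSO disabled

def email_domain(email: str) -> str:
    """Lower-cased text after the last '@'; malformed addresses are rejected."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()

def login_method(email: str, firms: list) -> tuple:
    """Return ("sso", providers) if any SSO-enabled firm of the user has a
    domain equal to the user's email domain, otherwise ("password", ())."""
    domain = email_domain(email)
    # Assumption: equality, not suffix or substring matching, so that
    # look-alike and parent/child domains never inherit the firm's SSO rule.
    providers = sorted({
        f.sso_provider for f in firms
        if f.sso_provider and f.domain.lower().lstrip("@") == domain
    })
    return ("sso", tuple(providers)) if providers else ("password", ())

# Constructed sample data: firm names and the ABC domain follow the examples on
# this page; the provider for ABC and the XYZ domain are made up.
ABC = Firm("ABC Accounting", "@abcaccounting.com", "google")
XYZ = Firm("XYZ Consulting", "xyzconsulting.example")  # SSO not enabled

if __name__ == "__main__":
    for addr in ("john@abcaccounting.com", "sarah@gmail.com",
                 "alex@abcaccounting.com", "alex@gmail.com",
                 # Look-alike domains must not be treated as the firm domain:
                 "user@abcaccounting.com.example.net", "user@notabcaccounting.com"):
        print(addr, "->", login_method(addr, [ABC, XYZ]))
```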
Invites Behavior
When SSO Is Enabled
Same-domain users (based on the admin’s firm domain):
Invitation includes an SSO login link
Displays the selected provider button (Google or Microsoft)
Non-domain users:
Invitation includes the standard Accept Invitation button
Users complete setup using email and password
When SSO Is Disabled
All invitations follow the normal login flow using email and password
Users receive the Accept Invitation button as usual, without SSO
Disable SSO
Admin or Super Admin users can disable SSO from Firm Info
Existing SSO users can continue logging in via SSO without interruption
New users or new invites created after SSO is disabled:
Follow the normal email/password login flow
Important Notes
SSO behavior is determined by email domain matching
Only one SSO provider can be active at a time

